add an option to set up a minimal /dev

(high level design)
This will unmount the outside /dev to help remove access to existing
device nodes, and then set up a small tmpfs over /dev with a minimal
set of safe/common nodes.  Most daemons do not need more than these.

(low level details)
In order to support common use cases like passing in one or two extra
device nodes (e.g. /dev/log), we cannot mess with /dev directly.  We
create a temporary directory, create all our nodes in there, then add
any bind mounts into /dev to that path.  Then just before we chroot
or pivot, we move the mount from its temp location to the final /dev.

Bug: chromium:680859
Test: `sudo ./minijail0 -rvpd /bin/ls -l /dev/` shows reduced # of files
Test: `sudo ./minijail0 -rvpd /bin/grep /dev /proc/mounts` shows only one /dev mount
Test: `sudo ./minijail0 -rvpd -C / -b /dev/log,/dev/log /bin/logger asdf` allows logging to work
Test: `sudo ./minijail0 -rvpd -C /var/empty -b /,/ -b /dev/mixer,/dev/mixer /bin/ls -l /dev/` shows /dev/mixer

Change-Id: Ie91869971baffde0b86c5d244c584e45099abe7e
4 files changed
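
A check in the spirit of the Test lines above, written as an added example that is not part of this commit or of minijail: it confirms that exactly one mount sits on /dev and flags device nodes that should not be reachable inside the jail. The allowlist of node names and device numbers is an assumption (the commit message does not list the nodes), and the sample mount table is constructed.

```python
import os
import re
import stat

# Assumed allowlist: the commit message does not name the nodes, so these are
# the conventional Linux character devices, as name -> (major, minor).
ALLOWED_NODES = {"null": (1, 3), "zero": (1, 5), "full": (1, 7),
                 "urandom": (1, 9), "tty": (5, 0)}

def unescape(field):
    """Decode the \\ooo octal escapes /proc/mounts uses for space, tab, etc."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def dev_mounts(mounts_text, target="/dev"):
    """Return (source, fstype) for each mount sitting exactly on target."""
    found = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and unescape(parts[1]) == target:
            found.append((unescape(parts[0]), parts[2]))
    return found

def unexpected_nodes(entries, bind_allowed=()):
    """entries: (name, st_mode, st_rdev) tuples from lstat() of each /dev entry.
    Return names of device nodes that are neither allowlisted with the right
    numbers nor explicitly bind-mounted in (the -b arguments)."""
    bad = []
    for name, mode, rdev in entries:
        if not (stat.S_ISCHR(mode) or stat.S_ISBLK(mode)):
            continue  # symlinks, directories and sockets are not device nodes
        if name in bind_allowed:
            continue
        numbers = (os.major(rdev), os.minor(rdev))
        if not stat.S_ISCHR(mode) or ALLOWED_NODES.get(name) != numbers:
            bad.append(name)
    return bad

def scan(path="/dev"):
    """Collect (name, st_mode, st_rdev) for the top level of path."""
    out = []
    for e in os.scandir(path):
        st = os.lstat(e.path)
        out.append((e.name, st.st_mode, st.st_rdev))
    return out

# Constructed sample: what /proc/mounts might show inside the jail.
SAMPLE_MOUNTS = ("/dev/root / ext4 ro,relatime 0 0\n"
                 "none /dev tmpfs rw,nosuid,noexec 0 0\n"
                 "devpts /dev/pts devpts rw,nosuid,noexec 0 0\n")

if __name__ == "__main__":
    print(dev_mounts(open("/proc/mounts").read()), unexpected_nodes(scan()))
```

Comparing device numbers as well as names catches a node that is called `null` but carries the numbers of a different device.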